000035561 - RSA Identity Governance and Lifecycle NullPointerException when rules associated with Attribute Synchronization run

Document created by RSA Customer Support Employee on Oct 10, 2017
Version 1Show Document
  • View in full screen mode

Article Content

Article Number000035561
Applies ToRSA Product Set: Identity Governance and Lifecycle
RSA Version/Condition: 7.0.1, 7.0.2
Product Description: RSA Identity Governance and Lifecycle
IssueIntermittently rules scheduled to run after Unification fail with the following exception in the aveksaServer.log (/home/oracle/wildfly-8.2.0.Final/standalone/log/aveksaServer.log).  Examples of rules that typically run after unification include but are not limited to Attribute Change Rules, Provisioning Joiner/Mover and Provisioning Termination Rules.  Note that the actual rule name that fails may be different than what is shown in the example below.

09/03/2017 06:41:12.563 INFO (Exec Task Consumer#0) [com.aveksa.server.core.rule.action.changerequest.ChangeRequestActionHandler] Failed method=Create CR action failed for rule Attribute Sync
09/03/2017 06:41:12.637 ERROR (Exec Task Consumer#0) [com.aveksa.server.core.rule.RuleServiceUtil] Error method=Action com.aveksa.server.core.rule.action.changerequest.ChangeRequestAction@602f0ada
java.lang.RuntimeException: java.lang.NullPointerException

This may lead to other intermittent failures such as the failure to terminate users, or the failure to onboard new users from the rule. 
CauseThis issue may occur if the rule is executed against a partial set of data from a unification run.  This may occur if the customer has scheduled collections or unification using the WebServices collectIdentities or Unify WebServices calls via a cron task or other scheduler in addition to running the collections manually or from the Collections Scheduling menu.  
The problem occurs if a new collection or unification is scheduled before the previous collection has completed.   By design, rules configured to run after collections are scheduled at the time the collection is scheduled and they are placed in the scheduler queue so that they run after the unification step.  If there are multiple unifications in the scheduler queue, the scheduled rule may run out of sequence and will not detect the changes from the unification run.  When this occurs a NullPointerException is generated.
ResolutionThis issue has been resolved in the following versions.
  • RSA Identity Governance and Lifecycle 6.9.1 P25
  • RSA Identity Governance and Lifecycle 7.0.1 (please upgrade to 7.0.2)
  • RSA Identity Governance and Lifecycle 7.0.2 P04
 In these versions if an attempt is made to schedule a collection or unification and an existing collection is still pending, the WebServices call will fail with the following message:

409, Cannot schedule Identity Collections and/or Unification because they are already in the queue for processing

WorkaroundThe following techniques may be used to avoid or mitigate the chances of a  rule executing at the wrong time.
  • Use either the internal scheduler or the WebServices API but not both for scheduling collections.
  • Avoid scheduling multiple collections per day.
  • Use a wrapper around the WebServices API and use the WebServices getRunStatus to confirm that all runs have completed before scheduling an additional run. 
  • Disable the feature to run rules after unification and instead schedule the rules to run manually at a specific time. 
NotesIn all versions the default Scheduler under the Collectors tab in the Collectors Scheduling menu does not create a new daily, weekly or monthly collection until the original collection has completed.   If a collection task is started manually, and the previous collection has not completed the system will prevent the collection from being scheduled and will display the following error:

An identity data collection is already running or waiting in the queue. Cannot run it again.

User-added image